JPCERT-AT-2014-0024
JPCERT/CC
2014-05-15

<<< JPCERT/CC Alert 2014-05-15 >>>

Alert regarding the usage of old versions of Movable Type

https://www.jpcert.or.jp/english/at/2014/at140024.html


I. Overview

JPCERT/CC has received multiple incident reports regarding compromised
websites related to the usage of old versions of Movable Type. According
to the information that we have obtained, attacks have been observed that
leverage known vulnerabilities in Movable Type to place arbitrary files on
websites and embed iframes or obfuscated JavaScript that redirect to
attack sites.

We have not been able to confirm that every compromise of a website using
an old version of Movable Type leveraged a vulnerability, but if a
vulnerable version is in use, there remains a possibility that attackers
may leverage a vulnerability to compromise the website. As a proactive
measure, we recommend updating not only Movable Type but also the OS and
other software to the latest versions.

Website administrators are recommended to refer to "II. Solution - For
Website Administrators", check if their website has been compromised, and
consider implementing countermeasures as necessary.

In addition, JPCERT/CC has observed that the attack sites have attack
tools referred to as exploit kits embedded in them. If the software
installed on the user's PC contains any vulnerabilities, the user is
redirected to the attack site when the website is viewed, and the PC may
become infected with malware.

The redirected attack sites that have been observed by JPCERT/CC leverage
known vulnerabilities in the following software. Updating the following
software, along with other software and the OS, to the latest versions
will reduce the probability of being infected by malware. Please refer to
"II. Solution - For Users" and update the software to the latest versions.

- Oracle Java
- Adobe Reader
- Adobe Flash Player
- Internet Explorer


II. Solution

[For Website Administrators]

In order to prevent your website from being compromised and users' PCs
from being infected by malware, please check the following and consider
implementing countermeasures as necessary.

(Points to Check)
- Check if the Movable Type being used is the latest version
- Check if the OS and software used for the website are the latest
  versions
- Check the web server FTP / SSH logs to see if there is anything unusual
  with the source IP address, access times, etc.
- Check if web content has been modified to embed a malicious program in
  it
- Check if the PC used to update the website is infected with malware.
  If administration of the website is outsourced, verify with the
  outsourcing company that the PCs used are not infected with malware

(Countermeasures)
- Update Movable Type to the latest version

  Security Updates for 6.0.3, 5.2.10, 5.17 now available (Japanese)
  http://www.movabletype.jp/blog/6035210517.html

- If Movable Type cannot be updated for some reason, please refer to the
  following for workarounds that may be implemented.

  Advices on how to use Movable Type safely (Japanese)
  http://www.movabletype.jp/blog/secure_movable_type.html

- Update the OS and software being used for the website to the latest
  versions as necessary
- Only allow website content updates from designated locations and PCs
  (IP address, etc.)
- Change the FTP / SSH account passwords used for website content updates
  to a password that cannot be easily compromised by means of brute-force
  attacks and dictionary attacks. (Passwords are recommended to be at
  least 8 alphanumeric characters in length and also be a string that
  cannot be easily guessed)

[For Users]

The redirected attack sites leverage known vulnerabilities in order to
install malware. Refer to the following URLs to update the software being
used to the latest versions.

[Microsoft]
Microsoft Update
https://www.update.microsoft.com/

Windows Update
http://windowsupdate.microsoft.com/

[Adobe]
Adobe Flash Player Download Center
https://get.adobe.com/flashplayer/

Adobe - Product Updates (Adobe Acrobat, Adobe Reader)
https://www.adobe.com/downloads/updates/

[Oracle Java]
Free Java Download (JRE 7, English)
https://java.com/en/download/


III. References

Advices on how to use Movable Type safely (Japanese)
http://www.movabletype.jp/blog/secure_movable_type.html


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
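
One way to automate the check for modified web content listed under II. Solution [For Website Administrators], as an added example that is not part of the JPCERT/CC alert. The regular expressions, the trusted-host list, the file extensions and the function names scan_text and scan_docroot are assumptions chosen for illustration, not JPCERT/CC signatures.

```python
import os
import re
from urllib.parse import urlparse

# Heuristic patterns (assumptions for illustration, not JPCERT/CC signatures).
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN = re.compile(r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
OBFUSCATED = re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)|document\.write\s*\(\s*unescape|(?:%u?[0-9a-f]{2,4}){40,}", re.I)
EXTENSIONS = (".html", ".htm", ".js", ".php", ".tmpl")


def scan_text(text, trusted_hosts):
    """Return a list of reasons why this content deserves manual review."""
    findings = []
    for tag in IFRAME.findall(text):
        m = SRC.search(tag)
        host = (urlparse(m.group(1)).hostname or "") if m else ""
        if host and host.lower() not in trusted_hosts:
            findings.append(f"iframe to untrusted host {host}")
        if HIDDEN.search(tag):
            findings.append("hidden or zero-size iframe")
    if OBFUSCATED.search(text):
        findings.append("obfuscated JavaScript pattern")
    return findings


def scan_docroot(root, trusted_hosts, since_epoch=0):
    """Walk the document root; report suspicious files modified at or after since_epoch."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(EXTENSIONS) or os.path.getmtime(path) < since_epoch:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read(), trusted_hosts)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample content
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write('<p>Blog</p><iframe src="http://attack.example/in.php" width="0" height="0"></iframe>')
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write('<iframe src="https://video.example.jp/embed/1" width="560"></iframe>')
        for path, reasons in scan_docroot(root, {"video.example.jp"}).items():
            print(path, "->", "; ".join(reasons))
```

A clean result does not show that the site is unmodified, since file timestamps can be altered and injected code can take other forms; comparing the document root against a known-good copy remains the stronger check.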